Cryptology ePrint Archive: Report 2007/176
Seven-Property-Preserving Iterated Hashing: ROX
Elena Andreeva and Gregory Neven and Bart Preneel and Thomas Shrimpton
Abstract: Nearly all modern hash functions are constructed by iterating a
compression function. At FSE'04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or counterexample, which of these seven notions is preserved by each of eleven existing iterations.
Our study points out that none of them preserves more than three
notions from [RSh04]. In particular, only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions are particularly relevant for practice, because they do not rely on the problematic assumption that practical compression functions be chosen uniformly from a family. In view of this poor state of affairs, even the mere existence of seven-property-preserving iterations seems uncertain.
As a second contribution, we propose the new Random-Oracle XOR(ROX) iteration that is the first to provably preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.
Category / Keywords: foundations / Cryptographic hash functions, Merkle-Damgard, collision resistance, preimage resistance, second preimage resistance, provable security.
Date: received 10 May 2007, last revised 30 Oct 2007
Contact author: elena andreeva at esat kuleuven be
Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Version: 20071030:142915 (All versions of this report)
Short URL: ia.cr/2007/176
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]